| Age | Commit message (Collapse) | Author |
|---|
|
be included.
neitnet6/{ip6,icmp6}.h includes #error statements only - i'll remove them
couple of days later.
|
|
on, which will be happy for the future. bindresvport_sa() for sockaddr *, too. docs later..
|
|
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.
|
|
|
|
|
|
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.
|
|
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).
|
|
follow-up commit).
|
|
|
|
|
|
|
|
|
|
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.
GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).
|
|
|
|
|
|
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.
|
|
support, when IPSEC is compiled in. The default is disabled. Turn on with:
sysctl -w net.inet.ip4.allow=1
***Only*** do this if you are really knowing what you do!
This control does not control the tunnel modes of ESP and AH.
|
|
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.
|
|
Let's not encourage the use of an obsolete convention.
|
|
a few extras that are just plain useful. Note that I used u_intxx_t instead of
the POSIX p1003.1g uintxx_t that those specs mandate, so as to not increase the
number of outside symbol definitions that in.h depends on.
|
|
|
|
|
|
|
|
|
|
|
|
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.
|
|
|
|
and suseconds_t types for XPG4.2.
|
|
in_addr_t is for (same basic type so we don't break anything).
|
|
not rpc-specific and other stuff uses it now.
|
|
|
|
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|
|
"... Allow the user to nominate one of three ranges of port numbers as
candidates for selecting a local address to replace a zero port number.
The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg)
call. The three ranges are: default, high (to bypass firewalls) and
low (to get a port below 1024).
The default and high port ranges are sysctl settable under sysctl
net.inet.ip.portrange.* [net.inet.ip.portfirst, net.inet.ip.portlast,
net.inet.ip.porthifirst, and net.inet.ip.porthilast currently in OpenBSD.]
This code also fixes a potential deadlock if the system accidently ran out
of local port addresses. It'd drop into an infinite while loop.
The secure port selection (for root) should reduce overheads and increase
reliability of rlogin/rlogind/rsh/rshd if they are modified to take
advantage of it."
|
|
|
|
and gated wants it to there ;)
|
|
|
|
|
|
|
